Legal claims defining the scope of protection, as filed with the USPTO.
1. A method comprising: receiving, from an application, a request to perform a cryptographic operation with a specified application key, wherein the application is associated with a client identification; identifying a gateway associated with the client identification; identifying, by a processing device, a respective characteristic of each self-encrypting key management service of a plurality of self-encrypting key management services that correspond to the gateway, wherein each of the plurality of self-encrypting key management services is associated with a respective secure enclave of a plurality of secure enclaves, wherein the specified application key is encrypted at each of the plurality of secure enclaves by a respective secure enclave key of a plurality of secure enclave keys, and wherein the specified application key is stored in a shared storage resource accessible by each of the plurality of self-encrypting key management services; identifying a self-encrypting key management service of the plurality of self-encrypting key management services, wherein a characteristic of the identified self-encrypting key management service satisfies a threshold criterion; and sending the request to the identified self-encrypting key management service, wherein the request identifies, using an interface of the self-encrypting key management service, a type of cryptographic operation to be performed by a cryptographic operation component of the self-encrypting key management service.
2. The method of claim 1, wherein the characteristic of the identified self-encrypting key management service comprises a number of cryptographic operations for one or more other applications that are being performed by the identified self-encrypting key management service.
3. The method of claim 1, wherein the characteristic of the identified self-encrypting key management service comprises a number of cryptographic operations that have been performed within a threshold period of time.
4. The method of claim 1, wherein the characteristic of the identified self-encrypting key management service comprises a number of applications from which at least one request to perform a cryptographic operation has been provided to the identified self-encrypting key management service.
5. The method of claim 1, wherein the characteristic of the identified self-encrypting key management service satisfies the threshold criterion if a number of cryptographic operations being provided by the identified self-encrypting key management service is least among the plurality of self-encrypting key management services.
6. The method of claim 1, wherein the characteristic of the identified self-encrypting key management service satisfies the threshold criterion if a number of applications for which the identified self-encrypting key management service has provided cryptographic operations over a threshold period of prior time is least among the plurality of self-encrypting key management services.
7. The method of claim 1, wherein the threshold criterion comprises a threshold processing capacity criterion associated with the application, and wherein the characteristic of the identified self-encrypting key management service satisfies the threshold criterion if a processing capacity of the identified self-encrypting key management service satisfies the threshold processing capacity criterion associated with the application.
8. The method of claim 1, wherein the characteristic of the identified self-encrypting key management service satisfies the threshold criterion if a location of a first network server that hosts the identified self-encrypting key management service is nearest to a second network server that hosts the application.
9. The method of claim 1, wherein each of the plurality of self-encrypting key management services receives one or more requests from the gateway.
10. The method of claim 1, wherein the client identification is specified in the request.
11. The method of claim 1, wherein the client identification identifies a user of the application.
12. The method of claim 1, wherein the shared storage resource is supported by a plurality of storage elements.
13. The method of claim 1, wherein each secure enclave key of the plurality of secure enclave keys is based on a respective internal key that is internal to a respective processing device of a plurality of processing devices, and is further based on an identification of a respective self-encrypting key management service of the plurality of self-encrypting key management services.
14. The method of claim 13, wherein the specified application key is stored at a first self-encrypting key management service, and responsive to a second self-encrypting key management service being created, the specified application key is securely provided from the first self-encrypting key management service to the second self-encrypting key management service.
15. The method of claim 13, wherein the specified application key is stored at each secure enclave of the plurality of secure enclaves.
16. The method of claim 1, wherein the interface of the self-encrypting key management service is one of: a Public Key Cryptography Standards (PKCS) #11 interface, a Key Management Interoperability Protocol (KMIP) interface, or a Representational State Transfer (REST) interface.
17. A system comprising: a memory; and a processing device, operatively coupled with the memory, to: receive, from an application, a request to perform a cryptographic operation with a specified application key, wherein the application is associated with a client identification; identify a gateway associated with the client identification; identify a respective characteristic of each self-encrypting key management service of a plurality of self-encrypting key management services that correspond to the gateway, wherein each of the plurality of self-encrypting key management services is associated with a respective secure enclave of a plurality of secure enclaves, wherein the specified application key is encrypted at each of the plurality of secure enclaves by a respective secure enclave key of a plurality of secure enclave keys, and wherein the specified application key is stored in a shared storage resource accessible by each of the plurality of self-encrypting key management services; identify a self-encrypting key management service of the plurality of self-encrypting key management services, wherein a characteristic of the identified self-encrypting key management service satisfies a threshold criterion; and send the request to the identified self-encrypting key management service, wherein the request identifies, using an interface of the self-encrypting key management service, a type of cryptographic operation to be performed by a cryptographic operation component of the self-encrypting key management service.
18. The system of claim 17, wherein the characteristic of the identified self-encrypting key management service comprises a number of cryptographic operations for one or more other applications that are being performed by the identified self-encrypting key management service.
19. A non-transitory computer readable medium comprising data that, when accessed by a processing device, cause the processing device to perform operations comprising: receiving, from an application, a request to perform a cryptographic operation with a specified application key, wherein the application is associated with a client identification; identifying a gateway associated with the client identification; identifying a respective characteristic of each self-encrypting key management service of a plurality of self-encrypting key management services that correspond to the gateway, wherein each of the plurality of self-encrypting key management services is associated with a respective secure enclave of a plurality of secure enclaves, wherein the specified application key is encrypted at each of the plurality of secure enclaves by a respective secure enclave key of a plurality of secure enclave keys, and wherein the specified application key is stored in a shared storage resource accessible by each of the plurality of self-encrypting key management services; identifying a self-encrypting key management service of the plurality of self-encrypting key management services, wherein a characteristic of the identified self-encrypting key management service satisfies a threshold criterion; and sending the request to the identified self-encrypting key management service, wherein the request identifies, using an interface of the self-encrypting key management service, a type of cryptographic operation to be performed by a cryptographic operation component of the self-encrypting key management service.
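The routing and key-handling flow of claims 1 to 16, as an added Python example that is not part of the patent or of any product it covers. Every name in it (`KmsService`, `Gateway`, `route`, the `cpu-A-fuse-key` style internal keys, the `client-42` gateway mapping) is an assumption, and the HKDF-keystream-plus-HMAC wrap is a standard-library stand-in for the hardware-backed enclave sealing that the claims do not specify. It shows the claim 13 derivation of each enclave key from the host CPU's internal key and the service identity, the per-enclave wrapped copies of one application key in shared storage (claims 1 and 15), claim 7 applied as a capacity filter before a claim 5, 6 or 8 ranking, and the check a practitioner wants: a copy wrapped for one enclave cannot be opened with another enclave's key, and a copy altered in shared storage is rejected.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass, field


def hkdf_sha256(ikm: bytes, info: bytes, length: int = 32) -> bytes:
    """RFC 5869 HKDF on SHA-256 with an empty salt, stdlib only."""
    prk = hmac.new(b"\x00" * 32, ikm, hashlib.sha256).digest()
    okm, block, ctr = b"", b"", 1
    while len(okm) < length:
        block = hmac.new(prk, block + info + bytes([ctr]), hashlib.sha256).digest()
        okm, ctr = okm + block, ctr + 1
    return okm[:length]


def enclave_key(cpu_internal_key: bytes, service_id: str) -> bytes:
    """Claim 13: bound to the host CPU's internal key and the KMS service identity (assumed KDF)."""
    return hkdf_sha256(cpu_internal_key, b"enclave-key|" + service_id.encode())


def wrap(key: bytes, plaintext: bytes) -> bytes:
    """Assumed stand-in for hardware-backed AEAD sealing: HKDF keystream XOR, HMAC tag, fresh nonce."""
    nonce = os.urandom(16)
    ct = bytes(p ^ s for p, s in zip(plaintext, hkdf_sha256(key, b"stream|" + nonce, len(plaintext))))
    return nonce + ct + hmac.new(key, nonce + ct, hashlib.sha256).digest()


def unwrap(key: bytes, blob: bytes) -> bytes:
    """Rejects a blob wrapped for another enclave or altered in shared storage."""
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    if not hmac.compare_digest(tag, hmac.new(key, nonce + ct, hashlib.sha256).digest()):
        raise ValueError("wrapped application key failed authentication")
    return bytes(c ^ s for c, s in zip(ct, hkdf_sha256(key, b"stream|" + nonce, len(ct))))


@dataclass
class KmsService:
    service_id: str
    enclave_key: bytes
    location: tuple  # (x, y) of the hosting server, claim 8
    capacity: int    # operations it can hold in flight, claim 7
    in_flight: int = 0                               # claims 2 and 5
    apps_served: set = field(default_factory=set)    # claims 4 and 6

    def perform(self, interface: str, op_type: str, wrapped: bytes, app_id: str, data: bytes) -> bytes:
        """Cryptographic operation component: unseal the app key in the enclave, then run the op."""
        if interface not in ("PKCS11", "KMIP", "REST") or op_type != "MAC":  # claim 16; only MAC modelled
            raise ValueError(f"unsupported request {interface}/{op_type}")
        self.in_flight += 1
        self.apps_served.add(app_id)
        try:
            return hmac.new(unwrap(self.enclave_key, wrapped), data, hashlib.sha256).digest()
        finally:
            self.in_flight -= 1


@dataclass
class Gateway:
    services: list
    shared_storage: dict = field(default_factory=dict)  # (key_id, service_id) -> wrapped blob

    def provision(self, key_id: str, app_key: bytes) -> None:
        """Claim 1: one copy of the app key per enclave, all readable by every service."""
        for svc in self.services:
            self.shared_storage[(key_id, svc.service_id)] = wrap(svc.enclave_key, app_key)

    def select(self, app_location: tuple, min_headroom: int, rank: str) -> KmsService:
        """Claim 7 as a filter (capacity headroom), then a claim 5, 6 or 8 ranking."""
        eligible = [s for s in self.services if s.capacity - s.in_flight >= min_headroom]
        if not eligible:
            raise RuntimeError("no KMS service satisfies the capacity criterion")
        rankers = {
            "least-loaded": lambda s: s.in_flight,
            "fewest-apps": lambda s: len(s.apps_served),
            "nearest": lambda s: sum((a - b) ** 2 for a, b in zip(s.location, app_location)),
        }
        return min(eligible, key=rankers[rank])

    def handle(self, req: dict) -> tuple:
        svc = self.select(req["app_location"], req.get("min_headroom", 1), req.get("rank", "least-loaded"))
        wrapped = self.shared_storage[(req["key_id"], svc.service_id)]
        return svc.service_id, svc.perform(req["interface"], req["op"], wrapped, req["app_id"], req["data"])


GATEWAY_BY_CLIENT: dict = {}  # claim 1: client identification -> gateway

def route(client_id: str, req: dict) -> tuple:
    return GATEWAY_BY_CLIENT[client_id].handle(req)  # claim 1: the client identification picks the gateway


def build_demo() -> Gateway:  # constructed fixture: two hosts with distinct CPU-internal keys
    svc_a = KmsService("kms-a", enclave_key(b"cpu-A-fuse-key", "kms-a"), (0, 0), capacity=4)
    svc_b = KmsService("kms-b", enclave_key(b"cpu-B-fuse-key", "kms-b"), (10, 0), capacity=4)
    gw = Gateway([svc_a, svc_b])
    gw.provision("app-key-1", os.urandom(32))
    GATEWAY_BY_CLIENT["client-42"] = gw
    return gw
```

Because both enclaves recover the same application key from their own wrapped copy, the MAC an application receives is identical whichever instance the gateway picks, which is what lets the selection criterion be purely about load, capacity or distance.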
April 1, 2025